<div dir="ltr">Reading this, I can't help but think back to a question I asked here that (AFAICT) never had an answer, but now has contradictory spec texts that reinforce the confusion.<div><br></div><div>OpenID Connect Session Management 1.0 – draft 26 says:</div><div>&gt; An ID Token typically comes with an expiration date. The RP MAY rely on it to expire the RP session.</div><div>&gt; However, it is entirely possible that the End-User might have logged out of the OP before the expiration</div><div>&gt; date. Therefore, it is highly desirable to be able to find out the login status of the End-User at the OP.</div><div>— Source: <a href="https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification">https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification</a></div><div><br></div><div>Health Relationship Trust Profile for OpenID Connect 1.0 says:<br></div><div>&gt; The ID Token MUST expire and SHOULD have an active lifetime no longer than five minutes.</div><div>– Source: <a href="https://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html#rfc.section.2">https://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html#rfc.section.2</a></div><div><br></div><div>I believe I had seen that last recommendation elsewhere in OpenID Connect specs (probably earlier drafts of the Core spec, back when it was split into several documents), and that was what motivated my question months ago (actually more like two years ago I believe) related to the Session Management draft.</div><div><br></div><div>My interpretation is that Session Management is actually wrong in recommending using the ID Token expiration as a baseline for session expiration. 
Can someone please confirm?</div><div>(if you prefer I instead create an issue at BitBucket, I can do that too)</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Feb 16, 2016 at 2:40 AM Mike Jones &lt;<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal"><span style="color:#002060">FYI</span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Mike Jones <br>
<b>Sent:</b> Monday, February 15, 2016 5:39 PM<br>
<b>To:</b> <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> HEART Implementer’s Drafts Approved</p>
</div>
</div>
<p class="MsoNormal">The following notice was posted at <a href="http://openid.net/2016/02/15/heart-implementers-drafts-approved/" target="_blank">
http://openid.net/2016/02/15/heart-implementers-drafts-approved/</a>:</p>
<p style="line-height:15.0pt"><b><span style="font-size:14.0pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">HEART Implementer’s Drafts Approved</span></b></p>
<p style="line-height:15.0pt"><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">The OpenID Foundation members have approved of the following specifications as OpenID Implementer’s Drafts:</span></p>
<ul style="line-height:15.0pt">
<li><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">Health Relationship Trust Profile for OAuth 2.0</span></li>
<li><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">Health Relationship Trust Profile for OpenID Connect 1.0</span></li>
<li><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">Health Relationship Trust Profile for User Managed Access 1.0</span></li>
</ul>
<p style="line-height:15.0pt"><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification.</span></p>
<p style="line-height:15.0pt"><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">The specifications are available at:</span></p>
<ul style="line-height:15.0pt">
<li><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a"><a href="http://openid.net/specs/openid-heart-oauth2-1_0-ID1.html" target="_blank">http://openid.net/specs/openid-heart-oauth2-1_0-ID1.html</a></span></li>
<li><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a"><a href="http://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html" target="_blank">http://openid.net/specs/openid-heart-openid-connect-1_0-ID1.html</a></span></li>
<li><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a"><a href="http://openid.net/specs/openid-heart-uma-1_0-ID1.html" target="_blank">http://openid.net/specs/openid-heart-uma-1_0-ID1.html</a></span></li>
</ul>
<p style="line-height:15.0pt"><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">The voting results were:</span></p>
<ul style="line-height:15.0pt">
<li><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">Approve – 34 votes</span></li>
<li><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">Object – 1 vote</span></li>
<li><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">Abstain – 11 votes</span></li>
</ul>
<p style="line-height:15.0pt"><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">Total votes: 46 (out of 204 members = 23% &gt; 20% quorum requirement)</span></p>
<p style="line-height:15.0pt"><span style="font-size:10.5pt;font-family:'Helvetica',sans-serif;color:#5a5a5a">— Michael B. Jones – OpenID Foundation Board Secretary</span></p>
</div>
</div>

_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>